70-270 Windows XP TechNotes
Local User and Group Accounts

Windows XP allows you to create local user and group accounts for which you can assign permissions to resources and to which you can assign rights to perform certain tasks. When you create a local user or group account on Windows XP, it is stored in the local security database and can be used only on the local computer. If the computer is a member of a domain, you need a domain user account instead of a local user account to be able to access resources in the domain. If the computer is a member of a workgroup and you want to be able to log on to other computers using a single user name, you need to create an identical user account on each of the computers you want to access.

Windows XP provides two built-in user accounts, Administrator and Guest. The Administrator account is a member of the local Administrators group and by default has full permissions to all local resources. This is the account you use to configure the computer, i.e. to create other user accounts and assign permissions and rights. You cannot delete or disable the Administrator account. The Guest account is disabled by default; the Administrator can enable it to allow guests, people who do not have a user account, to log on to the computer. You should rename the built-in accounts to make it more difficult for a malicious individual to gain access by guessing account names and passwords.

The main purpose of a local group account is to simplify administration by allowing permissions and rights to be assigned to a collection of users instead of an individual user. When you assign or change permissions or rights to a group, all the members in that group will inherit those permissions or rights. Local groups cannot have other local groups as members, only user accounts. Windows XP includes the following groups by default:

Administrators – Have full permissions by default and can change their own permissions and rights as well as those of other users and groups. Can also take ownership of files.
Backup Operators – Can back up or restore files without being limited by file permissions. Backup Operators can also log on locally and shutdown the system.
Guests – Have the same permissions and rights as the Users group by default. The Guest user account is the only member and is disabled by default.
Network Configuration Operators – Have limited administrative access to configure network settings.
Power Users – Have limited administrative access. They can create new user accounts but cannot modify or delete existing accounts, and they can remove users from the Power Users, Users, and Guests groups but cannot modify the Administrators or Backup Operators groups.
Remote Desktop Users – Have the right to log on remotely, i.e. to use the Remote Desktop feature to connect and log on to this computer.
Replicator – Group account used for file replication in a domain. Do not add regular user accounts to this group.
Users – Have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes. Members of the Users group can create new local groups but cannot modify or delete other groups.
HelpServicesGroup – Group for the Help and Support Center.

Following are some of the special identities in Windows XP that are similar to groups, but to which users are automatically added depending on how they access the computer. You cannot add users to these groups manually, but you can assign permissions to them.

Anonymous Logon – Users that connected without logging on to the computer.
Authenticated Users – Users that connected and are authenticated by the local computer. Does not include the Guest account.
Everyone – Includes Authenticated Users and Guest.
Interactive – Users who logged on locally or through a Remote Desktop connection.
Network – Users that connected over the network and are logged on to the local computer.

Account settings

You can manage users and groups on your local computer by using the Local Users and Groups snap-in of Computer Management, shown below. To create a new account, right-click the Users or Groups container and select New User or New Group. To rename or delete a user account, or to set its password, right-click it in Local Users and Groups and select the corresponding task.

To change the settings of a user or group account, double-click it to open its properties. On the General tab of a user account’s properties, shown below, you can enter a full name and a description for the user account.

Additionally, the General tab provides the following account settings:

User must change password at next logon – When this setting is enabled, the user will be required to change the password the next time he or she logs on.
User cannot change password – When this setting is enabled, the user cannot change the password.
Password never expires – When this setting is enabled, the password will not expire even if it is older than specified in the Maximum password age policy.
Account is disabled – When this setting is enabled, the user account is disabled and cannot be used to log on.
Account is locked out – This setting will be enabled automatically when a user enters an incorrect password for the number of times specified in the Account lockout threshold policy. The account will be locked out for the duration specified in the Account lockout duration policy, or until an Administrator disables this setting manually. Both these Account Lockout Policy settings will be discussed in the next section.

The Member Of tab of a user account’s Properties sheet lists the local groups of which the user is a member. If you want to add a user to a group, you can click the Add button on the Member Of tab of a user account, or the Members tab of the group account’s Properties.

The Profile tab allows you to provide a path to the profile (discussed in the Desktop Environment TechNotes) and a logon script. You can also provide a path for a user’s home folder, and optionally map it to a drive letter. These options are typically only used when the computer is a member of a domain.

Another, more limited way to manage local users is User Accounts in Control Panel. One option of User Accounts that is worth mentioning is Manage my network passwords, available under Related Tasks, which opens the Stored User Names and Passwords dialog. The latter will be discussed in more detail in the Local Security Configuration TechNotes.

Account Policy

Account policies are group policy settings that can be used to enforce a password and account lockout policy for the local computer. You can access the account policy settings in the Account Policies section of the Local Security Policy, which is available in the Administrative Tools section and in the Windows Settings section under Computer Configuration in the Group Policy editor (gpedit.msc). You must be a member of the Administrators group to be able to configure account policy settings. Windows includes the following account policy settings:

Password Policy
Enforce password history – Specifies how many different passwords have to be used before an old password can be reused. The default value is 1. If you set the value to 0 Windows XP won’t maintain a password history.
Maximum password age – Specifies the maximum number of days the same password can be used before requiring the user to change it. The default value is 42. The password will not expire if you set the value to 0.
Minimum password age – Specifies how many days a password must be used before the user can change it. The default value is 0.
Minimum password length – Specifies the minimum password length. Microsoft recommends a minimum of 8. A password won’t be required if you set the value to 0.
Passwords must meet complexity requirements – Enable this policy to enforce the following minimum requirements for passwords:
      o Cannot contain the user's account name or part of it
      o Must be 6 characters in length or longer
      o Must contain characters from three of the following four categories:
            - Uppercase characters (A through Z)
            - Lowercase characters (a through z)
            - 0 through 9
            - Nonalphanumeric characters (e.g., !, $, #, %)
Store password using reversible encryption for all users in the domain – Enabling this policy allows applications that use authentication protocols requiring plaintext passwords, such as CHAP, to access the password. Never enable this option.
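The complexity rules listed above, implemented as an added example (not code from the page or from Microsoft). It interprets "part of it" as Microsoft documents for the full name, i.e. tokens of three or more characters split on common delimiters; that tokenisation, and the `jsmith` sample account, are assumptions.

```python
import re

# Delimiters Microsoft documents for splitting the full name into tokens. The page only
# says "account name or part of it"; treating 3+ character tokens of the full name as
# "parts" is an assumption taken from the documented behaviour of the filter.
_DELIMS = re.compile(r"[,.\-_ #\t]+")


def name_parts(account_name, full_name=""):
    """Lower-cased strings a password must not contain: the whole account name
    plus every token of the full name that is three or more characters long."""
    parts = {account_name.lower()}
    for token in _DELIMS.split(full_name.lower()):
        if len(token) >= 3:
            parts.add(token)
    parts.discard("")
    return parts


def complexity_failures(password, account_name, full_name=""):
    """Check a password against the XP 'Passwords must meet complexity requirements'
    rules listed above. Returns the reasons it fails; an empty list means it passes."""
    failures = []
    pw_lower = password.lower()
    hits = sorted(p for p in name_parts(account_name, full_name) if p in pw_lower)
    if hits:
        failures.append("contains part of the user's name: " + ", ".join(hits))
    if len(password) < 6:
        failures.append("shorter than 6 characters")
    # The four categories the policy counts; any character that is not a letter or
    # digit (e.g. !, $, #, %) is treated as nonalphanumeric.
    categories = {
        "uppercase": any("A" <= c <= "Z" for c in password),
        "lowercase": any("a" <= c <= "z" for c in password),
        "digit": any("0" <= c <= "9" for c in password),
        "nonalphanumeric": any(not c.isalnum() for c in password),
    }
    met = sum(categories.values())
    if met < 3:
        missing = [name for name, ok in categories.items() if not ok]
        failures.append("only %d of 4 character categories (missing: %s)"
                        % (met, ", ".join(missing)))
    return failures


def meets_complexity(password, account_name, full_name=""):
    """True if the password would be accepted under the policy."""
    return not complexity_failures(password, account_name, full_name)
```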

Account Lockout Policy
Account lockout duration – Specifies the number of minutes a locked-out account remains locked out before automatically being unlocked. If you set the value to 0, the account will remain locked out until an administrator manually unlocks it (by disabling the Account is locked out user account setting in Local Users and Groups).
Account lockout threshold – Specifies the number of failed logon attempts that result in a user account becoming locked out. Accounts will never be locked out if you set this value to 0. This setting does not apply to failed password attempts on a computer locked using Ctrl+Alt+Delete or a screen saver.
Reset account lockout counter after – Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
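How the three lockout settings interact, as an added example rather than anything from the page: a small model of the lockout counter that takes the policy values and a stream of logon events (times in minutes) and reports whether the account is locked. The user names and event times in the usage are constructed.

```python
UNTIL_ADMIN_UNLOCKS = float("inf")   # lockout duration 0: stays locked until unlocked manually

class LockoutTracker:
    """Models the three Account Lockout Policy settings above; times are in minutes."""

    def __init__(self, threshold, duration_min, reset_after_min):
        self.threshold = threshold           # Account lockout threshold (0 = never lock out)
        self.duration = duration_min         # Account lockout duration (0 = admin unlock only)
        self.reset_after = reset_after_min   # Reset account lockout counter after
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, {"bad": 0, "last": None, "until": None})

    def is_locked(self, user, now):
        st = self._state(user)
        if st["until"] is None:
            return False
        if now < st["until"]:
            return True
        st["bad"], st["until"] = 0, None   # duration elapsed: automatic unlock
        return False

    def failed_logon(self, user, now):
        """Record one bad password; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        if self.threshold == 0:
            return False
        st = self._state(user)
        if st["last"] is not None and now - st["last"] >= self.reset_after:
            st["bad"] = 0                    # reset window elapsed since the last failure
        st["bad"] += 1
        st["last"] = now
        if st["bad"] >= self.threshold:
            st["until"] = UNTIL_ADMIN_UNLOCKS if self.duration == 0 else now + self.duration
            return True
        return False

    def successful_logon(self, user, now):
        """A correct password on an unlocked account clears the bad-password counter."""
        if self.is_locked(user, now):
            return False
        self._state(user)["bad"] = 0
        return True

    def admin_unlock(self, user):
        """Equivalent to clearing 'Account is locked out' in Local Users and Groups."""
        self.accounts[user] = {"bad": 0, "last": None, "until": None}
```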

User Rights Assignments

Windows XP allows you to assign rights to users and groups, which authorize users to perform specific tasks on the local computer. Rights are not the same as permissions; the latter are used to authorize access for groups and users to objects such as files and printers. You can assign these rights to user or group accounts in the User Rights Assignments section of the Local Security Policy, which is available in the Administrative Tools section. You can also find them under Local Policies in the Windows Settings section under Computer Configuration in the Group Policy editor (gpedit.msc). There are two different types of user rights: logon rights and privileges. The following list shows some of the common user rights for both types.

Logon Rights
• Log on locally – Allows a user to log on to the local computer.
• Log on as a service – Allows you to create a system account for services.
• Access this computer from a network – Allows a user access to this computer through a network connection.
• Allow logon through terminal services – Allows a user to log on to this computer through a Remote Desktop connection.
• Deny local logon – Allows you to explicitly deny local logon to users who are assigned the right to Log on locally through group membership.
• Deny logon through terminal services – Allows you to explicitly deny Remote Desktop access to users who are assigned the right to Allow logon through terminal services through group membership.

Privileges
• Load and unload device drivers – Specifies which users can load and unload device drivers for Plug and Play devices.
• Change the system time – Specifies which users can change the system time.
• Manage auditing and security log – Specifies which users are allowed to specify object access auditing options for individual resources. A user who has this privilege can also view and clear the security log in Event Viewer.
• Remove computer from docking station – Specifies which users are allowed to remove their portable computer from a docking station by selecting Eject PC from the Start menu.
• Restore files and directories – Specifies which users are allowed to bypass file permissions in order to restore data.
• Shut down the system – Specifies which users are allowed to shut down the computer.

Click the following link for a more complete and detailed overview of the available user rights in Windows XP: User Rights Assignment.
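An added example, not from the page, that checks the Account Policy and User Rights settings discussed in the two sections above from a security template as written by secedit /export (the page itself only covers the GUI tools, so the INF format is an assumption of this example). It flags the password and lockout values the text warns about and computes the effective logon right for an account's group SIDs, with a Deny entry overriding an Allow entry as described for Deny local logon. The template and SIDs below are constructed sample data.

```python
import configparser

# Constructed sample in the INF format written by 'secedit /export /cfg' (assumption:
# the page does not mention secedit; a real export is UTF-16 and has more sections).
SAMPLE_INF = """[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-546
SeDenyInteractiveLogonRight = *S-1-5-32-546
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""

# Well-known SIDs of built-in groups discussed above.
ADMINISTRATORS, USERS, GUESTS = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-32-546"
RDP_USERS = "S-1-5-32-555"

def parse_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str   # keep the case of keys such as SeInteractiveLogonRight
    cp.read_string(text)
    return cp

def holders(cp, right):
    """SIDs (without the leading '*') that are assigned a logon right or privilege."""
    raw = cp["Privilege Rights"].get(right, "")
    return {s.strip().lstrip("*") for s in raw.split(",") if s.strip()}

def can_log_on(cp, allow_right, deny_right, member_sids):
    """Effective logon right for an account with the given group SIDs:
    a matching Deny entry overrides any Allow entry."""
    sids = set(member_sids)
    if sids & holders(cp, deny_right):
        return False
    return bool(sids & holders(cp, allow_right))

def audit_system_access(cp):
    """Flag settings that contradict the guidance in the Account Policy section."""
    sa = cp["System Access"]
    checks = [
        ("ClearTextPassword", lambda v: v == 0, "reversible encryption enabled"),
        ("MinimumPasswordLength", lambda v: v >= 8, "below the recommended 8"),
        ("PasswordComplexity", lambda v: v == 1, "complexity requirements not enforced"),
        ("LockoutBadCount", lambda v: v > 0, "accounts never lock out"),
    ]
    return ["%s=%s: %s" % (key, sa.get(key, "0"), msg)
            for key, ok, msg in checks if not ok(int(sa.get(key, "0")))]
```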


Current related exam objectives for the 70-270 exam:

Configuring, Managing, and Troubleshooting Security

Configure, manage, and troubleshoot local user and group accounts.
- Configure, manage, and troubleshoot account settings.
- Configure, manage, and troubleshoot account policy.
- Configure, manage, and troubleshoot user and group rights.

Date: Wednesday, March 23, 2005
Author: Johan Hiemstra
MCSE NT4 MCSA 2000/2003